- 1798.100 – Consumers’ right to receive information on privacy practices and access information
- 1798.105 – Consumers’ right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers’ right to receive information about onward disclosures
- 1798.120 – Consumers’ right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Do job applicants need to be given a privacy notice?
Yes.
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute – including the right to receive a privacy notice – apply to any job applicants who are California residents and about whom the business collects personal information.
Does the CCPA apply to the personal information of employees?
Yes.
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute apply to the business’s employees.
While the CCPA applies to data collected about employees, the California legislature passed an amendment in 2019 (Senate Bill 25) that effectively phased in the rights afforded to employees over the course of 2020. Pursuant to the amendment, those provisions of the CCPA found within Sections 100(b) and 150 applied immediately to employees.2 These included the obligation that a business inform an employee “at or before the point of collection” of the personal information to be collected and the purposes for which the information will be used.3 They also included the ability of an employee to bring suit if an employer failed to adequately protect sensitive category information.5 Employees’ personal information was exempted from other provisions of the CCPA until January 1, 2021 (e.g., access rights, deletion rights, sale rights, etc.).5
Does the CCPA apply to information about businesses?
The CCPA only applies to personal information about “consumers,” a term which is defined as “a natural person who is a California resident.”1 As corporations or other legal entities are not people, the CCPA does not apply to information that relates to them. That said, to the extent that information that relates to a business also relates to a real person, and either identifies them or makes the person identifiable, it would be within the scope of the CCPA. As an example, an online rating of a company called Best Dentist would not be governed by the CCPA. An online rating of an office named John Smith DDS (after the dentist that practices there) would (or will) be governed by the CCPA.
It is worth noting, however, that to the extent that information relates to an “employee, owner, director, officer, or contractor” of a company, the obligations of the CCPA phase in over time. Specifically, some provisions went into effect on January 1, 2020, such as possible liability following a data security breach that includes sensitive category information. Other provisions become effective on January 1, 2021, such as the ability of the employee, owner, director, officer, or contractor to request access to their personal information.2
If a company has California employees is it subject to the CCPA?
Not necessarily.
Although the CCPA’s definition of “consumer” includes employees that reside in California,1 the CCPA applies only to a “business” — a term that is defined as being an entity that “does business in the State of California” and that meets one of the following three thresholds:
- Annual gross revenue in excess of $25 million,
- Purchases, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, or
- Derives 50% of annual revenue from selling consumer personal information.2
The net result is that if a business meets one of the three thresholds established for gross revenue, quantity of data points, or revenue generated by the sale of personal information, and has California employees, then it will be subject to the CCPA. If a business does not meet one of the three thresholds set forth above, but has California employees, then it will not be subject to the CCPA.
CCPA Security FAQs: Can non-California residents bring a class action under the CCPA following a data breach?
No.
“Consumers” can bring suit under the CCPA if they can prove the following five elements:
- A business incurred a data breach;
- The data breach involved a sensitive category of information identified in Cal. Civil Code Section 1798.81.5;
- The business had a legal duty to protect the personal information from breach;
- The business failed to implement reasonable security procedures and practices; and
- The business’s failure resulted in (i.e., caused) a data breach.
While the common definition of “consumer” suggests that it refers to an individual that has “consumed” a product or a service in relation to a company, the definition ascribed by the CCPA is that a “consumer” is any “natural person who is a California resident.”1 As a result, individuals who are not residents of California are not permitted to bring suit under the statute.
1. CCPA, Section 1798.140(g) (emphasis added).
CCPA Privacy FAQs: Does the CCPA apply to personal data about non-Californians (e.g., Europeans)?
Although the California Consumer Privacy Act (“CCPA”) is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”). To help address that confusion, BCLP has published a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. A complete archive of FAQs is available at www.ccpa-info.com.
Q. Does the CCPA apply to personal data about non-Californians (e.g., Europeans)?
No.
Some data privacy laws are designed to apply to personal data collected about individuals that live beyond the country’s borders. Most notably, if a company is subject to the general jurisdiction of the European GDPR because it is processing personal data in the context of an establishment within the European Union, the GDPR purports to apply to all personal data – regardless of the residency of the person about whom the data relates. So, for example, if a company processes data in Paris, the GDPR purports to apply to that data regardless of whether the data is about Parisians or Americans.1 The net result is that if the GDPR attaches, it may apply to data subjects “whatever their nationality or place of residence.”2
The CCPA, on the other hand, applies only to “consumers,” a term that is expressly defined as including only “a natural person who is a California resident.”3 As a result, if a company processes data in Los Angeles, the CCPA applies only to the personal information processed about Californians; it does not apply to information processed about residents of other states or countries.
1. It is worth noting that if a company that is not established within the European Union is subject to the more limited jurisdiction of the GDPR by offering goods or services to Europeans, or monitoring the behavior of Europeans, the GDPR does not purport to apply to individuals outside of Europe (i.e., Americans).
2. GDPR, Recital 14.
3. Cal. Civil Code 1798.140(g) (emphasis added).
CCPA Security FAQs: Can employees bring a class action under the CCPA following a data breach?
More than likely.
“Consumers” can bring suit under the CCPA if they can prove the following five elements:
- A business incurred a data breach;
- The data breach involved a sensitive category of information identified in California Civil Code Section 1798.81.5;
- The business had a legal duty to protect the personal information from breach;
- The business failed to implement reasonable security procedures and practices; and
- The business’s failure resulted in (i.e., caused) a data breach.
While the common definition of “consumer” suggests that it refers to an individual that has “consumed” a product or a service in relation to a company, the definition ascribed by the CCPA is far broader. The term is defined to include any “natural person who is a California resident.”1 Read literally, the phrase includes not only an individual that consumes a product (e.g., a customer of a store), but also that store’s California-based employees, and California-based business contacts or prospective customers.
It is worth noting that various legislative amendments have been proposed which would modify the definition of “consumer” to exclude employees. As of the date of publication, the only remaining proposed amendment concerning the applicability of the CCPA to employees would functionally delay the application of the CCPA’s privacy provisions to employee data an additional 12 months (i.e., until January 1, 2021), but not exempt employees altogether.2 Specifically, employees might still be able to bring suit following a data breach.
1. CCPA, Section 1798.140(g).
2. See Assembly Bill 25.